Closed Bug 921553 Opened 8 years ago Closed 8 years ago

Fix some rooting hazards that crept into bindings code

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla27

People

(Reporter: bzbarsky, Assigned: bzbarsky)

Details

Attachments

(1 file)

Two things.

1)  UnionTypes.cpp ends up with code like this:

    nsresult rv = 
      UnwrapObject<prototypes::id::HTMLVideoElement,
                   mozilla::dom::HTMLVideoElement>(
        cx, &value.toObject(), SetAsHTMLVideoElement());

The second arg is a hazard if the third arg gcs.  We should just store that third arg in a stack temporary before we do this code, so we end up with something more like this:

    OwningNonNull<mozilla::dom::HTMLVideoElement>& memberSlot =
      SetAsHTMLVideoElement();
    {
      nsresult rv =
        UnwrapObject<prototypes::id::HTMLVideoElement,
                     mozilla::dom::HTMLVideoElement>(
          cx, &value.toObject(), memberSlot);

2) ConvertJSValueToByteString has an unrooted JSString on the stack that I think is in fact safe, but it's easy enough to shut up the analysis here by rooting it... and safer in the long run.
Whiteboard: [need review]
Attachment #811245 - Flags: review?(peterv) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/2c7230203ec2
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla27
https://hg.mozilla.org/mozilla-central/rev/2c7230203ec2
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: DOM → DOM: Core & HTML
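
The hazard in item 1 of the report, as an added example that is not part of the bug or of the Gecko code base: a toy moving collector shows why a raw object pointer taken before a GC-capable call goes stale, and why hoisting that call into a stack temporary fixes it. `ToyHeap`, `Value`, `setAsMember`, `unwrap`, `hazardousOrder` and `fixedOrder` are hypothetical stand-ins, and the collection is forced on every call so the outcome is deterministic.

```cpp
// Toy moving-GC model (added illustration; these names are not SpiderMonkey APIs).
#include <cstddef>
#include <memory>
#include <vector>

struct Obj { int payload; bool moved; };
struct ToyHeap {
    std::vector<std::unique_ptr<Obj>> storage;  // old copies kept so stale reads stay defined
    std::vector<Obj*> slots;                    // rooted view: always the current address
    std::size_t alloc(int payload) {
        storage.push_back(std::make_unique<Obj>(Obj{payload, false}));
        slots.push_back(storage.back().get());
        return slots.size() - 1;
    }
    void gc() {  // relocate every object and mark the old copy as moved
        for (Obj*& p : slots) {
            storage.push_back(std::make_unique<Obj>(Obj{p->payload, false}));
            p->moved = true;
            p = storage.back().get();
        }
    }
};
// Stands in for the rooted `value`: toObject() re-reads the current address.
struct Value {
    ToyHeap* heap; std::size_t slot;
    Obj& toObject() const { return *heap->slots[slot]; }
};
// Stands in for SetAsHTMLVideoElement(): returns the member slot and may GC (here: always).
int& setAsMember(ToyHeap& h, int& member) { h.gc(); return member; }
// Stands in for UnwrapObject: fails when handed a pointer to a relocated object.
bool unwrap(Obj* obj, int& out) {
    if (!obj->moved) out = obj->payload;
    return !obj->moved;
}
// C++ leaves argument evaluation order unspecified; this is the order that bites.
bool hazardousOrder(ToyHeap& h, const Value& v, int& member) {
    Obj* raw = &v.toObject();            // second argument: raw, unrooted pointer
    int& slot = setAsMember(h, member);  // third argument: GC moves the object
    return unwrap(raw, slot);            // raw now points at the old copy
}
// The fix from the bug: run the GC-capable call into a stack temporary first.
bool fixedOrder(ToyHeap& h, const Value& v, int& member) {
    int& memberSlot = setAsMember(h, member);
    return unwrap(&v.toObject(), memberSlot);
}
int main() {
    ToyHeap h; Value v{&h, h.alloc(42)}; int m = 0;
    return (!hazardousOrder(h, v, m) && fixedOrder(h, v, m) && m == 42) ? 0 : 1;
}
```

In a real engine the old copy's memory is reused or poisoned rather than kept, so the stale read in `hazardousOrder` would be a use-after-move on live heap data instead of a clean failure.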